Bomb Threats and Bitcoin – Forcepoint Security Labs has been monitoring a persistent strain of hoax emails attempting to blackmail or otherwise extort their recipients for the past year. This type of email has been widely reported, and the sheer volume suggests that it is nothing more than a hollow threat.
The use of violence as a motivator
One of last week’s campaigns, however, marked a significant shift: instead of sending wild (and occasionally lurid) threats of embarrassment, the perpetrators threatened victims with bomb and acid attacks.
These hoaxes attempt to gain credibility by using names of explosive chemicals (e.g. hexogen, lead azide, trinitrotoluene, tetryl). These messages also included a higher-than-usual demand of $20,000, presumably because the perpetrators expected to target organisations with more money than individuals targeted in previous campaigns.
However, the email’s complete lack of specific information about the victim is the first indication that all is not as it appears, and an examination of the campaign as a whole reveals a template email sent to many different companies around the world.
Non-specific phrases like ‘the building where your company is located’ and ‘you must send money by the end of the working day’ highlight the emails’ generality and would imply a bizarre lack of knowledge on the part of the perpetrator in the case of a genuine bomb threat.
Take note of the disclaimer at the bottom of the email, in which the perpetrators appear to deny foreknowledge or involvement in any real bomb threats that may have occurred on the same day.
The other template used in conjunction with the recent bomb threats is based on acid attacks, with colourful (and unlikely) phrases like ‘splashing sourness in your visage’.
According to the email, its sender has been hired to cause harm to the victim but is willing to stand down, and to share information on their client, in exchange for $1600 in bitcoin.
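The hallmarks described above (a named explosive, generic wording that never identifies the target, a dollar demand, a bitcoin address, and a disclaimer about other threats) can be turned into a simple triage score for a mail team. The following is an added example, not Forcepoint's detection content; the indicator lists, weights and threshold are assumptions, and the fixture text is a list of indicator fragments constructed from the phrases the post quotes rather than a real message.

```python
import re
from dataclasses import dataclass, field

# Indicator lists built from the hallmarks the post describes. They are
# illustrative only, not Forcepoint's detection content.
GENERIC_PHRASES = (
    "the building where your company is located",
    "by the end of the working day",
    "sourness in your visage",
)
EXPLOSIVE_TERMS = ("hexogen", "lead azide", "trinitrotoluene", "tetryl")

# Loose shape of a legacy (1.../3...) or Bech32 (bc1...) bitcoin address.
BTC_ADDRESS = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,59})\b")
DOLLAR_DEMAND = re.compile(r"\$\s?\d[\d,]*")
# The post notes a disclaimer denying involvement in other threats that day.
DISCLAIMER = re.compile(r"nothing to do with|not (?:involved|responsible)", re.I)


@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)


def score_message(body: str, recipient_org: str) -> Verdict:
    """Score a message against the template-extortion hallmarks.

    recipient_org is the organisation the mailbox belongs to. The post's key
    observation is that a genuine threat would name its target, while the
    template never does, so a missing mention raises the score.
    """
    text = body.lower()
    v = Verdict(0)
    if BTC_ADDRESS.search(body):
        v.score += 3
        v.reasons.append("bitcoin address")
    if DOLLAR_DEMAND.search(body):
        v.score += 1
        v.reasons.append("dollar demand")
    phrases = [p for p in GENERIC_PHRASES if p in text]
    if phrases:
        v.score += 2 * len(phrases)
        v.reasons.append(f"generic phrases: {phrases}")
    if any(term in text for term in EXPLOSIVE_TERMS):
        v.score += 2
        v.reasons.append("explosive chemical named")
    if DISCLAIMER.search(body):
        v.score += 1
        v.reasons.append("disclaimer about other threats")
    if recipient_org.lower() not in text:
        v.score += 2
        v.reasons.append("no mention of the recipient organisation")
    return v


def is_template_extortion(body: str, recipient_org: str, threshold: int = 6) -> bool:
    # Threshold is an assumption; tune it against your own mail corpus.
    return score_message(body, recipient_org).score >= threshold


# Constructed fixtures. HOAX_FRAGMENTS stitches together indicator fragments
# taken from the phrases the post quotes; it is not a real message.
HOAX_FRAGMENTS = " ... ".join([
    "hexogen",
    "the building where your company is located",
    "you must send money by the end of the working day",
    "$20,000",
    "1AbCdEfGhJkMnPqRsTuVwXyZ2345678ab",  # placeholder shape, not a real wallet
    "we have nothing to do with any other threats today",
])
BENIGN_INVOICE = (
    "Hi Acme team, attached is the invoice for $1,200 for the December "
    "consultancy work, payable by the end of the month."
)

if __name__ == "__main__":
    for label, body in (("hoax", HOAX_FRAGMENTS), ("benign", BENIGN_INVOICE)):
        v = score_message(body, "Acme")
        print(label, v.score, v.reasons)
```

The organisation-name check is the cheapest discriminator here: a legitimate invoice that happens to quote a dollar figure still scores low because it addresses the recipient by name, whereas the template scores high on every indicator at once.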
Scale feasibility
Forcepoint has seen far too many messages in this campaign – and others like it – to give the threats any legitimacy.
We have blocked over 335,000 emails of this type in the last week, with a peak of over 100,000 on December 13th.
We can also see that the campaign’s targets have been spread across many countries and regions. The main target countries are the United States, the United Kingdom, and Australia, with over 200,000 recipients having a TLD of .com, .uk, or .au.
When the .com, .uk, and .au TLDs are excluded, it becomes clear that a wide range of other countries was targeted, with a primary focus on mainland Europe and New Zealand.
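The daily-volume and TLD breakdowns above are straightforward to reproduce from a mail gateway's block log. The script below is an added example, not Forcepoint code; it assumes a simplified `timestamp action=... rcpt=...` log format and uses constructed log lines, and it treats the last DNS label as the TLD so that `example.co.uk` and `shop.com.au` fall under `.uk` and `.au` as in the post's grouping.

```python
import re
from collections import Counter

# Constructed gateway log lines in an assumed key=value format; these are not
# Forcepoint log output.
SAMPLE_LOG = """\
2018-12-13T09:12:01Z action=blocked rcpt=alice@example.com
2018-12-13T09:12:05Z action=blocked rcpt=bob@example.co.uk
2018-12-13T09:13:44Z action=blocked rcpt=carol@uni.ac.nz
2018-12-12T17:40:10Z action=blocked rcpt=dave@firma.example.de
2018-12-13T10:00:00Z action=blocked rcpt=Erin@shop.com.au
2018-12-12T17:41:00Z action=delivered rcpt=frank@example.com
"""

LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T\S+\s+action=(?P<action>\w+)\s+rcpt=\S+@(?P<domain>\S+)$"
)


def parse_blocked(log_text):
    """Return (date, tld) for every blocked message; other actions are ignored."""
    records = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m or m.group("action") != "blocked":
            continue
        # Last DNS label is the TLD: example.co.uk -> uk, shop.com.au -> au.
        tld = m.group("domain").lower().rsplit(".", 1)[-1]
        records.append((m.group("date"), tld))
    return records


def tld_counts(records, exclude=()):
    """Recipients per TLD, optionally dropping the dominant TLDs to see the long tail.

    Note that .com is a generic TLD, so mapping it to any one country is an
    assumption rather than something the log proves.
    """
    exclude = {t.lower().lstrip(".") for t in exclude}
    return Counter(tld for _, tld in records if tld not in exclude)


def daily_counts(records):
    """Blocked messages per calendar day."""
    return Counter(date for date, _ in records)


def peak_day(records):
    """(date, count) of the busiest day, or None if there are no records."""
    daily = daily_counts(records)
    if not daily:
        return None
    return max(daily.items(), key=lambda kv: kv[1])


if __name__ == "__main__":
    recs = parse_blocked(SAMPLE_LOG)
    print("blocked per day:", dict(daily_counts(recs)))
    print("peak day:", peak_day(recs))
    print("all TLDs:", dict(tld_counts(recs)))
    print("long tail:", dict(tld_counts(recs, exclude={".com", ".uk", ".au"})))
```

Delivered messages are deliberately skipped so the counts reflect what the gateway stopped; if you want the total volume that arrived, drop the `action` filter and key the counters by action as well.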
A tumultuous past
This tactic of sending emails that carry no malicious link or attachment, so that they pass content-based email analysis, and then extorting money from recipients has been around for a long time. For example, last summer we saw email campaigns that used a bitcoin address and a simple sob story to ask for a few dollars for someone in need:
The criminals quickly realised that this was ineffective and switched from appealing to people’s goodwill to threatening them with embarrassment. These campaigns have been widely reported in recent years, and we even published a blog in August 2017 highlighting the main targets and scope of this scam email campaign.
Over the course of the year, we have seen many small changes and variations in the content of these emails, such as the addition of previously leaked passwords to lend the threats some credibility, and experimentation with the ransom amount to find the figure victims are most likely to pay, which has generally ranged between $300 and $6000.
Conclusion
Sextortion campaigns have always been about the individual: they preyed on shame and embarrassment, hoping that protecting one’s personal reputation would be a strong enough motivator to pay the fee. It was in many cases.
The shift to targeting businesses was perhaps an unlikely (or, at the very least, ill-advised) strategy for this type of campaign. Bomb threats are never taken lightly, and universities, schools, and businesses immediately contacted the authorities.
The bitcoin extortion model had shifted to a communal threat, and the response became communal too, in the form of police involvement and media attention. As a result of this attention (and possibly a poor ‘return’ on the campaign), the afternoon’s campaign reverted to targeting individuals, though the threat of violence remained.
Caution should always be exercised when acting on information that contains threats of violence, but regardless of the specific content of these messages, they are mass extortion campaigns. The specifics of the threats may change, but such campaigns are likely to remain a fixture of the email landscape for some time.
Statement of protection
Customers of Forcepoint are protected against these campaigns at the following stages of attack:
Stage 2 (Lure) – This campaign’s e-mails are identified and blocked.